Giving away the store
In the August 2001 issue of ÆGIS we discussed a case of moral outrage (internal and external) about an overenthusiastic competitive intelligence project. Without rehashing the details (you can go back and read it), the indignation was caused by the fact that the people involved lied about who they were in conversations, and that they trespassed in order to take documents from dumpsters, rather than waiting until the trash had become public property.
It is interesting to note that there was virtually no mention of the fact that the information heard was sensitive information that was freely told to the callers (independent of whom they might have pretended to be), nor of the fact that sensitive documents were freely discarded, un-shredded, in behavior that the less-charitable-than-we might have characterized as acting stupid in the smart zone. There was apparently no OPSEC plan in place, and apparently no appropriate action had been taken to keep this sort of thing from happening.
We have seen time and time again that in most incidents of this type there are two willing partners: those who seek information, and those who choose to either give it away or fail to understand that it should be protected. Part of the problem comes from not identifying what information you don’t want others to have, and then making sure that all the internal players know this. If you don’t know what information you need to protect, it is unlikely that you will protect it. If you don’t tell people not to give it away, they probably will give it away. Remember that you often have conflicting goals for information: marketing and sales people press to release it in a timely manner to create demand, and that same timely release gives your competitors an opportunity to ramp up to compete with you.
Keep in mind, however, that we do not live in a perfect world, and that you cannot secure yourself from all loss stemming from the release of non-trade-secret information. For a start, there are some very clever people out there who are able to look at seemingly unrelated things and figure out what is going on. In addition, there is information that you can’t keep secret, due to government public-record disclosure requirements. Nonetheless, in a country which faces a $300 billion bill for lost information every year, it pays to take at least some appropriate actions, starting with an OPSEC program, to protect information, rather than simply giving it away.